Secure networked transaction system

ABSTRACT

A method and system for approval by a verification computer of an online transaction between a user computer and a merchant computer over the Internet. The user computer transmits a transaction request to the merchant computer, which may include a product to be purchased and the payment amount. The merchant computer transmits to the verification computer a verification request including a first data string associated with the payment card (such as a debit card account number or a portion thereof) and the payment amount. The verification request is stored at the verification computer with a transaction identifier and a verification data string, which are also transmitted to the merchant computer. The merchant computer stores the verification data string as an expected verification data string and the transaction identifier, transmits the transaction identifier to the user computer, and the user computer transmits the transaction identifier to the verification computer. This may be accomplished by the merchant computer redirecting the web browser of the user computer to the verification computer. The user computer also transmits a second data string associated with the payment card (such as the PIN for the debit card) after being requested by the verification computer. The verification computer uses the transaction identifier received via the user computer to retrieve the verification request previously stored with that received transaction identifier, and then it performs a verification step by using the first data string associated with the payment card retrieved from storage and the second data string associated with the payment card received from the user computer to verify if the transaction should be approved, e.g. by determining if an account associated with the payment card is sufficient to cover the payment amount in the verification request. The verification computer will, upon successful verification that the transaction should be approved, transmit a verification approval message to the user computer, which includes the transaction identifier and the verification data string associated therewith as a confirmation verification data string, and the user computer transmits the verification approval message to the merchant computer. This may also be accomplished by the verification computer redirecting the web browser of the user computer to the merchant computer with the appropriate data. The merchant computer uses the transaction identifier in the verification approval message to retrieve an expected verification data string it had previously stored. The merchant computer then compares the expected verification data string with the confirmation verification data string from the verification approval message and indicates that the transaction has been approved if the comparison is positive.

BACKGROUND OF THE INVENTION

The present invention relates to systems that allow debit cards, creditcards, Direct Check/ACH and other financial transaction instruments tobe used in networked purchasing environments between a merchant,customer, and a third party processor. The third party processor acts asan intermediary or clearinghouse for transactions.

Debit cards such as those typically provided by financial institutionssuch as banks or credit unions require the card to be encoded or thesystem to be encoded to recognize the card/Personal IdentificationNumber (PIN) combination. When used at an ATM or point of sale terminal,the system contacts the financial institution or a representativethereof with the user's account number and PIN number. The account ischecked to determine whether sufficient funds exist for the purchase orcash request. The system records the parameters of the transaction tomake the updates to the accounts such that the funds are transferredbetween parties of the transaction.

Prior art systems utilize various data encryption methods to secure thetransmission of the customer's debit card/account number, customer's PINnumber, the merchant's ID or code, to the various banking andtransaction clearing systems that are checked at the point of sale suchthat an approval number is received by the merchant indicating that thetransaction has been approved. The point-of-sale system or a separatecard reader is used to connect directly to the clearing system.

While this type of transaction allows a user to directly pay forpurchases at the point of sale, it allows the potential for anunscrupulous merchant, or a party intercepting communications to haveaccess to the user's account number and PIN number.

In an e-commerce environment, the user accesses a merchants web site,indicates the items to be purchased and is requested to supply somemeans to pay for the items during the checkout process. The usertypically enters the credit card number and the expiration date of thecard to secure the credit transaction and shipping preferences. Themerchant receives this information and generates a request that istransmitted to a credit clearing system that requests approval for thepurchase and transfers back an approval code to the merchant. Themerchant may at this point indicates to the customer that the purchasewas successful and supplies an approval page to the customer.

Since the transaction occurs over the Internet, users have concerns overthe privacy and security of the information entered. These privacy andsecurity issues limit the amount of customers that use these forms ofcommerce at this time. Businesses have been trying to generate morerobust security mechanisms to calm nervous customers, but these systemstill require the customer to provide the complete billing informationto the merchant to complete the sale. Robust encryption processes helpto reduce the customer's anxiety to some extent.

While credit cards are commonly used in point-of sale and on-linetransactions, the merchant is charged a variable fee for the transactionby the credit authorization system based on the risk of the purchase. Ahigher rate for example, may be charged where the user is not at thepoint of sale, but is instead making the purchase at a remote locationvia a computer. The potential for fraud may be increased when thecustomer is not visible. Since the credit card company has power to actagainst unscrupulous merchants and to protect the consumer against fraudby merchants, customers are less concerned about the credit transactionthat they would be regarding a debit transaction.

In contrast to credit purchases, there are no intermediaries to protecta customer when a debit transaction occurs. Debit transactions incontrast cause direct modifications to the clients bank account orfinancial assets held in a financial institution. The customer isvulnerable to direct funds transfer and withdrawal activity if someoneperforms these types of transactions without the customer's knowledge.

What is desired therefore is a system for allowing a customer topurchase items where the customer is not required to give the PIN numberof the debit card to a merchant during an on-line purchase. It isanother object of the present invention that the merchant or any partyintercepting a communication between the customer and merchant, neverhas access to the customer's PIN number throughout the transaction. Itis a further object of the present invention that all the informationrequired to complete a transaction never exists in one transmission onthe public network.

It is an object of the invention to provide a system where a third partytrusted verification system is contacted during the purchase process bythe merchant to request the processing of a customer's debit transactionwhere the merchant only knows the card number (or a portion of it). Thetrusted verification system separately receives the PIN number from thecustomer and processes the transaction with the credit/debit processingsystem. The functionality performed by the trusted verification systemmay be performed by the debit card organization/bank directly.

SUMMARY OF THE INVENTION

The present invention, in summary form, allows a customer at a customercomputing device, interacting with a merchant's computer system/website, to buy an item with a Debit/Check or credit card. The merchanttransmits details of the transaction to a trusted third partyverification system (TVS) including card number, merchant number, andtransaction amount. The verification system returns a transaction ID andunique verification data string to the merchant. The merchant redirectsthe customer to the verification system site, passing the transaction IDas part of the communications address. The verification system interactswith the user to acquire the PIN number for the debit/check card, or theexpiration date and/or the CVV2 number for a credit card. Using thepassed-in transaction ID and the acquired password (PIN), theverification system retrieves the merchant information from it'sdatabase, and provides the merchant number, card number, pin andtransaction amount to the gateway of the Debit/Check card processingnetwork. Upon retrieving a positive verification of the transactionsuccess, the customer is redirected to the merchant site, passing thetransaction ID and a unique verification as part of the redirection. Themerchant's system compares the provided verification data string againstthe expected verification data string it had earlier received from theverification system. If they match, the merchant knows the transactionwas successfully completed.

Thus, in particular, in one exemplary embodiment, provided is aninternetworked computer system and method having at least one usercomputer, at least one merchant computer, and a verification computerinterconnected to a computer network such as the Internet. The computerscarry out a method of approving an online transaction in conjunctionwith a payment card associated with the user computer. The methodincludes the steps of the user computer transmitting a transactionrequest to the merchant computer, which may include informationassociated with a product to be purchased by the user computer and thepayment amount associated with the product. The merchant computer thentransmits a verification request to the verification computer, theverification request including a first data string associated with thepayment card (such as a debit card account number) and optionally anindication of a payment amount associated with the transaction request.The verification request is then stored at the verification computer inassociation with a transaction identifier and a verification datastring, and the transaction identifier and the verification data stringare transmitted from the verification computer to the merchant computer.The merchant computer stores the verification data string as an expectedverification data string and the transaction identifier. The merchantcomputer then transmits the transaction identifier to the user computer,and the user computer transmits the transaction identifier to theverification computer. This may be accomplished by the merchant computerredirecting the web browser of the user computer to the verificationcomputer with the appropriate data. The user computer also transmits asecond data string associated with the payment card (such as the PIN forthe debit card) after being requested by the verification computer.

The verification computer uses the transaction identifier received viathe user computer to retrieve the verification request previously storedwith that received transaction identifier, and then it performs averification step by using the first data string associated with thepayment card retrieved from storage and the second data stringassociated with the payment card received from the user computer toverify if the transaction should be approved, e.g. by determining if anaccount associated with the payment card is sufficient to cover thepayment amount in the verification request.

The verification computer will, upon successful verification that thetransaction should be approved, transmit a verification approval messageto the user computer, which includes the transaction identifier and theverification data string associated therewith as a confirmationverification data string, and the user computer transmits theverification approval message to the merchant computer. This may also beaccomplished by the verification computer redirecting the web browser ofthe user computer to the merchant computer with the appropriate data.The merchant computer uses the transaction identifier in theverification approval message to retrieve an expected verification datastring it had previously stored. The merchant computer then compares theexpected verification data string with the confirmation verificationdata string from the verification approval message and indicates thatthe transaction has been approved if the comparison is positive.

In the case where the payment card is a debit card, then the first datastring is an account number associated with the debit card and thesecond data string is a PIN. In the case where the payment card is acredit card, then the first data string is an account number associatedwith the credit card and the second data string is an expiration date orthe CVV2 number.

Optionally, the verification computer determines if an accountassociated with the payment card is sufficient to cover the paymentamount in the verification request by communicating with a gatewaycomputer associated with an existing credit approval system.

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 is a representation of the system components of the presentinvention;

FIG. 2 is a process diagram of the method of the present invention;

FIG. 3 is a representation of the front face of a debit card of thepresent invention;

FIG. 4 a representation of the rear face of the debit card of thepresent invention;

FIG. 5 is a representation of a prior art credit processing fields foron-line transactions;

FIG. 6 is a representation of the debit card entry fields for on-linetransactions of the present invention;

FIG. 7 is a process step diagram of the present invention;

FIG. 8 shows the icons associated with a sampling of the various debitprocessing network members that exist;

FIG. 9 is a representation of an interface form for providing the PINinformation that is delivered to a customer from the verificationsystem.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The present system will be described with regard to FIG. 1, for allowinga user to make purchases at a networked e-tailer or retail locationusing a payment card such as a debit card or credit card. In thepreferred embodiment, the customer that wishes to purchase a product mayaccess the web site of the merchant using a web enabled device such thatthe customer may access a purchasing interface provided by or for thatmerchant. The customer would typically use a desktop computer, set topbox, or any other type of device capable of communications through anetwork. For example, a customer from a Pentium class computer with adisplay, keyboard, mouse and processor executing an operating systemsuch as Windows CE, 95, 98, MAC O/S, or Linux or Unix with acommunication connection to a network such as the Internet may execute aweb browser such as Internet Explorer or Netscape to access themerchant's web site. Wireless and satellite communication devices mayalternatively be used by the customer to communicate with theverification system and perform steps associated with completing thetransactions associated with a purchase.

The merchant computer 20 may be a terminal connected to a network, apoint of sale system, or a personal computer system, or server basedsystem connected to a network that is capable of connecting to amerchant server web site. For Internet-based communications where amerchant web server is provided, the server may comprise any networkedcomputing devices capable of serving interface programs that customersmay access to indicate desired purchases. The merchant computercomprises communication means, storage means, and one or more processorsto support the execution of the required processes. The merchantcomputer may optionally have one or more monitors, and input devicessuch as keyboard, mouse, and mag-stripe reader. The mag-stripe reader isalso known as a card-swipe reader, or card-swipe device.

The verification system therefore is a networked computer system thatcomprises communications means for receiving requests from merchants andfor communicating with customers during the purchase process. Thecommunication means also permits the verification system to communicatewith debit/credit card processing systems to process transactions forpurchases. The verification system comprises memory means for retainingmerchant records and customer records, and processor means for managingtransactions.

The method of the present invention will now be described with regard toFIG. 2. A customer at a customer computing device such as a usercomputer, interacting with a merchant's computer 20 system/web site,decides to buy an item with a payment card such as a debit/check card orcredit card 40 at step 100. The user computer sends a transactionrequest, which will include details of the desired item such as adescription and the payment price, to the merchant computer. Thetransaction request will also include a first data string associatedwith the payment card, such as the debit card number. The merchantcomputer 20 transmits a verification request comprising details of thetransaction to a trusted third party verification computer system (TVS)30 at step 110. The verification request will include information suchas the debit card account number 42 (see FIG. 3), merchant number (asdetermined from the merchant system) and the transaction amount. Theverification computer 30 stores the verification request in associationwith a unique transaction identifier and verification data string thatit has generated, and then returns the transaction identifier andverification data string to the merchant computer 20 at step 120. Themerchant computer 20 then sends the transaction identifier to theverification computer via the user computer, for instance by issuing aredirect command to the user computer's web browser such that the usercomputer is redirected to the verification computer. The redirectcommand includes the passing of the transaction identifier that wasreceived from the verification computer as part of the communicationsaddress (e.g. a parameter of a URL).

The verification computer receives the transaction identifier from theuser computer and interacts with the user computer at step 150 toacquire the PIN number for the debit/check card 40 at step 160. That is,after receiving the transaction ID as part of the redirect, theverification computer will send a browser form to the user computer,inviting the user to enter the PIN as a second data string associatedwith the payment card. Using the passed-in transaction identifier andthe acquired PIN (or the expiration date and/or CVV2 if the payment cardis a credit card), the verification computer retrieves the merchantinformation from it's database 32 at steps 162 and 164, and mayoptionally retrieve records for the customer in a customer database 34at step 166, and performs a verification process using the first datastring, the second data string, and the transaction amount. Theverification process may be performed externally by providing themerchant number, card number, PIN and transaction amount to the gatewayof the Debit/Check card processing network 50 at step 170.Alternatively, the verification may be done internally if theverification computer is actually part of the credit network.

Upon retrieving a positive verification of the transaction success atstep 180, the verification computer sends an approval message to themerchant computer via the user computer; i.e. the customer is redirectedto the merchant computer at step 190, passing the transaction identifierand a verification data string as part of the redirection at step 200back to the merchant computer. Alternatively, the merchant's system mayreceive a separate notification message from the verification system 30with the approved transaction identifier and verification data string.The merchant's system compares the provided verification data stringagainst the expected verification data string it had earlier receivedfrom the verification system. If they match, the merchant knows thetransaction was completed.

The method derives additional security because the merchants never haveenough pieces of information to complete the transaction by themselves.The security of acquiring the PIN is enhanced because the networktransmission containing the PIN never contains the corresponding cardnumber and vice versa. Using readily available secure transmissionprotocols further increase security of all network transmissions.

This method is unique in that the merchant or any party intercepting acommunication never has the customer's PIN number. It is further uniquebecause the Debit/Check card and PIN numbers were never transmittedtogether during any part of the network exchanges between any of thethree parties.

The debit card may be any type of debit card currently recognized bysome of the present transaction service providers. The debit cardtypically has embossed characters 42 for the financial institution 43and account number 44 where the characters are raised above the front ofthe card (see FIG. 3) The most commonly quoted standards are the ISO/IEC7810, 11, 12 and 13 series of standards. These standards are written forthe credit and debit card market and so include information on theembossed characters on the cards as well as the track locations andinformation on the magnetic stripe that appears on the rear of the card45. ISO/IEC 7811 has six parts with parts two and six specifically aboutlow and high coercivity magnetic stripes. These standards includeinformation on the magnetic properties that guarantee that the stripecan be read in a magnetic stripe reader in the U.S.A. as well as inJapan. The companion to the ISO/IEC 7811 series of standard is ISO/IEC10 373. This document details the test methods for the ISO/IEC 7811series of standards.

Debit cards are preferably processed by the verification system throughthe existing ATM backbone of service providers. There are severaldifferent ATM backbone networks, and many have reciprocity agreements,so one ATM can usually talk to the bank of another system. Some of theicons for the providers are displayed in FIG. 8. A merchant that usesthe functionality of the present system would typically be providedapplets or modified HTML forms that direct the processing of debittransactions. For example, a modified form such as shown in FIG. 6 wouldcause a transaction to be generated to contact the verification systemthrough a first connection. Upon receiving the debit card information,the verification system may identify the appropriate ATM backbone to becontacted by interpreting the account number typed in by the customerand, or data read from the magnetic stripe of the debit card. A customerfrom a remote customer computer may be able to provide input to themerchant web page and the verification system using various hardwareperipherals such as a mag-stripe reader or keyboard and mouse to enterthe debit card number. If the customer is at a merchant location or onthe merchants web site, the merchant or customer may select or choosethe symbol of one of the ATM backbones indicated on the customer's cardfrom the web page. FIG. 9 shows an web page that might be used by thecustomer to select the ATM system and to enter the PIN number. Themerchant would have a similar form with the account number and withoutthe PIN number. In cases where the user has a card not supported by theATM or point of sale system, extra charges may be incurred whenperforming transactions with a card that does not belong to thepreferred system of the ATM or point of sale system. For example, onecard may be a member of Exchange, Plus, Interlink and CU Access. AnotherDebit card may be configured as a member of Honor, Interlink, andCirrus.

Generic card readers at merchant locations are configured to read fromany type of card. Visa and Mastercard for example, may perform analysisof the card to determine which financial institution holds the accountand additionally determines the type of account. The verification systemof the present invention may keep a database of card number to bankaccount number conversions to allow the verification system to bypassthe processing steps on the Visa/MC network and go straight to the ATMbackbone further reducing transaction costs to the system. For example,only the first time a customer used the verification system would thesystem go through the Visa, Mastercard clearinghouse. This could reducethe costs of transactions even further, enhancing profit margin orlowering costs to merchants or customers.

In the preferred embodiment, the user interface displayed on thecustomer's web browser upon redirect to the verification systemcomprises navigational buttons to allow the user to return to themerchant prior to completion of the transaction. The interface may havethe icons for the various debit service ATM backbones, as shown in FIGS.8 and 9, where the user may select the appropriate symbol for thetransaction such that the transaction is completed with the besttransaction rate for that card. If the user selects an incorrect icon orif the debit card is not supported by the system the user is informedthat the transaction cannot be completed with this card. The customermay be permitted to enter another card number and account at this timeif the user wishes to proceed with this transaction. The system will beable to reconcile a change in the card selected since the verificationdata string and transaction id are part of the current transaction. Thiswill cause an update of the record stored in the database that wasreceived by the TVS from the merchant.

If a user enters credit information into the debit field by mistake, therisk to the merchant is that someone really wanted to use a credit card.The system would be configured such that excess capability was availableto serve our pages, and the interface would provide an easy mechanismfor a user to backup to the merchant page to change the informationentered to the correct field. One benefit might be that the user has nowrealized that the debit option is available and might change the cardused for the purchase.

The following steps describe the process of purchasing via an Internetconnection in more detail.

1. The customer goes to merchant's web page and decides to buysomething. On the https:// page where they would normally enter a creditcard, there is also an option for a Debit/Check card. The customerenters their card number, and clicks the purchase button (buy it,whatever, just like they do now).

2. Because it is a Debit Card purchase, the merchant establishes acommunications channel with the verification system and sends the cardnumber, merchant ID, and the transaction amount.

3. The verification system returns to the merchant a data blockcontaining a session ID, and verification information.

4. The merchant redirects the customer's web browser to the verificationsystem server, passing the transaction ID as part of the address.

5. The verification system looks up the transaction informationcorresponding to the transaction ID, and presents a page to the customerrequesting the information to complete the transaction, such as the PINnumber and optionally the symbol representing the ATM backboneprocessing network, and/or other information from the card.

6. The verification system forwards the combined transaction informationto the ATM backbone for completion of the transaction.

7. The verification system gets verification/approval from the backbone.

8. The customer is redirected back to the merchant web site, passing theexpected verification block to the merchant as part of the address.

9. The merchant compares the verification block to the one receivedduring the initial communication with the verification system, and ifthey match, knows that the transaction was successful.

In this mode of operation, the merchant never gets the pin. Theverification system is the trusted third party and performs thecommunications with the financial backbone networks.

Optionally, software may be installed on the customer's machine and runlocally that will retrieve customer information such as the PIN, andthen using further cryptography techniques, pass that information to theverification system.

The system of the present invention may also be used for credit cardprocesses or any other type of transaction where a third party (theverification server) holds part of the transaction information. Forexample, where the expiration date is held by the verification serverfor credit card transactions. Another example would be where a portionof a prepaid debit card may be provided to a third party, such that whenthe card is used at a merchant location, only part of the account numberis known to the merchant. The customer would provide the remainder ofthe account number during the verification of the second part of thetransaction with the customer.

The system may be used for the monthly billing transactions forinsurance companies, gas credit cards, phone bills (bells and cellular),even email from your cellphone provider. For example, your Cell-phonebill for the month of March has been mailed to address which has a linkprovided to the system of the present invention such as “Try our OnlineDirect Check payment service by going to http://address . . . ”.

In another embodiment of the present invention, a functionality forcheck processing may be provided by the system. The backend for thepresent verification system is also capable of doing a new AutomatedClearingHouse (ACH) funds transfer process. By getting the bank routingnumber and account number off of a check, funds can be transferred fromthe customer's account do operate with checks without requiring aprinted check. Some merchants currently use a process where they mayhandle electronic payment by check but they are actually waiting for areal check. The processing costs associated with handling paper in thisway could exceed that of credit cards. By utilizing the ACH/Direct Checkmethod from the verification server, they could significantly reducethis cost, as well as offering another payment option to entice theircustomers. This is by far the cheapest option in terms of transactioncosts. For an insurance company, it is actually cheaper than handlingpaper checks.

An additional feature of the system may incorporate an escrow option.The money for a transaction may be held in the verification systemescrow account for a specified number of days and/or the customer mustconfirm receiving the goods before the money is released to themerchant's account.

System Advantages

the merchant never gets the PIN number.

the information to complete a transaction can never be intercepted by“eavesdropping” on any one channel of the communications betweencustomer, merchant, or verification system.

the verification system is trusted because the verification systemconforms to the requirements of the different backbone processors.

the net address of both the merchant and the customer may be held foruse in fraud cases, however, the verification system would not be aparty to the transaction done on behalf of the merchant.

Other Benefits of the System

Many debit cards are also associated with major credit card companies insuch a way that they can also be used as credit cards. We can enhancethe security of using these cards for debit card transactions, byrequiring that the merchant NOT request all of the numbers of the cardand its expiration date, thus minimizing the possibility that the debitcard can be used in an unauthorized credit card transaction. This makesthe cards more easily managed and more secure than typical credit cardtransactions. For example, a merchant cannot make an unauthorized creditcard transaction without the full account number and the expirationdate. For debit card transactions this date is not required, instead thecustomer is the only person with enough information to respond to thequery for the PIN number. The merchant never has the pieces to do adebit transaction without the user entering the pin on the verificationserver site.

Internet merchants are paying 2.2 to 6% to a clearinghouse organizationto take credit cards over the Internet. This is referred to as thenon-swiped rate (the card is not physically available to run through aterminal.) The rate is higher due to the potential for fraud. Becausethe present system will be able to provide the PIN number, thereforeproving to a greater extent that the customer is in actual possession ofthe card, a more favorable processing rate can be negotiated. The systemof the present invention can therefore give the merchant the chance todecrease their transaction costs.

The verification system subscribers such as preferred merchants wouldbenefit greatly from making the distinction up front between debit andcredit cards. For example, one potential customer uses a typical orderpage that looks like the sample shown in FIG. 5. By changing the page toinclude a debit card field, the transactions form would look more likeFIG. 6. Based on the preferential physical placement of the debit cardinformation, it would be more likely that a customer would choose thedebit option. The user may benefit if part of the cost savings arepassed onto them and the merchant would see a reduction in transactioncosts.

The customer computing device may alternatively be a device located at aretail location. For example, the user may use their debit card at thepoint of sale by swiping the card through a reader, then enter their PINnumber on a separate system that is connected with the verificationsystem of the present invention. The Internet-based verification stepwould be executed as a separate application having no direct connectionto the merchant transaction. This would of course require a shift in themerchant's and customer's paradigm of their understanding of a point-ofsale system. The separate components may be provided to allow thecustomer to establish a communication link to the verification system,where once connected, the customer may provide the remaining informationto complete the transaction without communicating with the point of salesystem.

1. A method of approving an online transaction between a user computer and a merchant computer interconnected over a computer network, in conjunction with a payment card associated with the user computer, comprising the steps of: a) transmitting a transaction request from the user computer to the merchant computer; b) transmitting a verification request from the merchant computer to a verification computer, the verification request comprising a first data string associated with the payment card; c) storing the verification request at the verification computer in association with a transaction identifier and a verification data string; d) transmitting the transaction identifier and the verification data string from the verification computer to the merchant computer; e) storing at the merchant computer (i) the verification data string as an expected verification data string, and (ii) the transaction identifier; f) transmitting from the merchant computer to the user computer the transaction identifier; g) the user computer transmitting to the verification computer (i) the transaction identifier, and (ii) a second data string associated with the payment card; h) the verification computer using the transaction identifier received from the user computer to retrieve the verification request previously stored by the verification computer with that received transaction identifier; i) the verification computer performing a verification step by using the first data string associated with the payment card retrieved from storage and the second data string associated with the payment card received from the user computer to verify if the transaction should be approved; j) upon successful verification that the transaction should be approved, the verification computer transmitting a verification approval message to the user computer, the verification approval message comprising the transaction identifier and the verification data string associated therewith as a confirmation verification data string; k) the user computer transmitting the verification approval message to the merchant computer; l) the merchant computer using the transaction identifier in the verification approval message to retrieve an expected verification data string previously stored; m) the merchant computer comparing the expected verification data string with the confirmation verification data string from the verification approval message; and n) the merchant computer indicating that the transaction has been approved if the comparison is positive. 2-113. (canceled) 